
Thread: Ping FTR: Mebromi BIOS Virus Out in the Wild

  1. #1
    ~BD~ Guest

    Re: Ping FTR: Mebromi BIOS Virus Out in the Wild

    FromTheRafters wrote:
    > "~BD~"<~BD~@nomail.afraid.org> wrote in message
    > news:j6sfd0$26j$1@dont-email.me...
    >> You've advised that this is impossible!

    >
    > No I haven't. I believe I told you that there was not yet enough room in the
    > BIOS for a virus *infection* in the BIOS. I also am the one that pointed you to
    > several papers on PCI rootkits and such.



    Forgive me if I misunderstood. I have always valued your help and advice.


    > LoJack for Laptops comes closer to being a virus than does Mebromi.
    >
    > I think that soon there will be a virus that infects the BIOS and have always
    > thought so, but it may not behave like your typical malware virus.



    Such a virus could render a computer more or less useless? Would a
    cost-effective repair be possible do you think?


    >> Your comments requested on this item:-
    >>
    >> **
    >>
    >> Security specialists have recently discovered a virus that makes its way into
    >> the BIOS, making it very hard to get rid of using current commercial
    >> anti-virus solutions.

    >
    > Those security specialists should explain to me how Mebromi qualifies
    > as a virus. While it is a PE file infector, I don't see any recursive
    > replication going on overall. Before any discussion with them, I'd have
    > to ascertain whether or not they subscribe to the "all worms are viruses"
    > idea - and *then* ask them to explain how Mebromi even qualifies as a worm
    > once that idea is dispensed with.
    >
    > AFAIK, it is a trojan that installs an MBR rootkit and uses the BIOS as
    > a guardian for that MBR rootkit (persistence). In addition, a kernel mode
    > rootkit that hides an additional downloader's actions. It infects two specific
    > system PE files as a startup method for said stealth downloader.



    I know you like to be 'correct' in the use of terms, FTR (and rightly
    so) - but the *effect* is what *really* matters IMO!


    > If it had *infected* those programs with a copy of its own replicative
    > function it would *then* qualify as a virus (if there was recursion). In
    > order for the *BIOS* to be said to have been *infected* by a *virus*
    > there would have to be replicative code in the BIOS itself, and the
    > code it writes to the disk would have to have reciprocating code
    > to reinfect the BIOS if the administrator had flashed it (like LoJack
    > claims to do) - you need that recursion to make this a virus, yet as
    > I understand it, only the Mebromi installation routine has the BIOS
    > flash capability - not the infestation itself. So, it remains a trojan
    > with respect to BIOS infection.
    >
    > I could be wrong, but this is how I understand it to be.



    I accept what you say.

    > [...]
    >
    > Do you have any specific on topic questions for the spyware group?



    Yes. How would anyone know that they had been infected in this manner if
    their anti-malware programmes didn't flag same?


    > I think anything about this Mebromi is relevant to spyware, but they
    > may not be interested in any of my opinions on the matter of malware
    > type classification.
    >
    > P.S. I don't mind the crosspost to a.p.s-e<waves>.


    Dave waves back! ;-)


  2. #2
    FromTheRafters Guest

    Re: Ping FTR: Mebromi BIOS Virus Out in the Wild

    "~BD~" <~BD~@nomail.afraid.org> wrote in message
    news:j6u832$in8$1@dont-email.me...
    > FromTheRafters wrote:
    >> "~BD~"<~BD~@nomail.afraid.org> wrote in message
    >> news:j6sfd0$26j$1@dont-email.me...
    >>> You've advised that this is impossible!

    >>
    >> No I haven't. I believe I told you that there was not yet enough room in the
    >> BIOS for a virus *infection* in the BIOS. I also am the one that pointed you to
    >> several papers on PCI rootkits and such.

    >
    >
    > Forgive me if I misunderstood. I have always valued your help and advice.
    >
    >
    >> LoJack for Laptops comes closer to being a virus than does Mebromi.
    >>
    >> I think that soon there will be a virus that infects the BIOS and have always
    >> thought so, but it may not behave like your typical malware virus.

    >
    >
    > Such a virus could render a computer more or less useless?


    It could be benign as well.

    > Would a cost-effective repair be possible do you think?


    Of course, what can be done in software can be undone in software. This
    is less about the virus aspect and more about persistence and stealth.

    Once you know it is there, removing it is a breeze.

    [...]

    >> AFAIK, it is a trojan that installs an MBR rootkit and uses the BIOS as
    >> a guardian for that MBR rootkit (persistence). In addition, a kernel mode
    >> rootkit that hides an additional downloader's actions. It infects two specific
    >> system PE files as a startup method for said stealth downloader.

    >
    > I know you like to be 'correct' in the use of terms, FTR (and rightly so) -
    > but the *effect* is what *really* matters IMO!


    And that *effect* depends entirely on what it *is* rather than what
    people think it is.

    [...]

    >> Do you have any specific on topic questions for the spyware group?

    >
    > Yes. How would anyone know that they had been infected in this manner if their
    > anti-malware programmes didn't flag same?


    They wouldn't.

    But these things don't exist in a vacuum. The chances are great that such
    an infection would be used to persistently hide the activities of some
    associated malware. That associated malware may well be detected
    from outside the stealthed environment. Usually, there will be network
    activity associated with the malware for instance.

    [...]
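FTR's point above is that an MBR rootkit guarded by the BIOS is found from outside the stealthed environment, not by asking the running OS. As an added example (not code from the thread or from any Mebromi analysis), the check below compares a 512-byte MBR read from rescue media against a trusted baseline copy: the bootstrap code area is what a bootkit overwrites, so a change there is the red flag, while partition-table changes are reported separately because they are often legitimate. The sample sectors are constructed here; the live sector is assumed to be captured offline, since a kernel-mode rootkit can filter what the booted OS sees.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 440        # x86 boot code area, the part a bootkit overwrites
PT_OFFSET = 446            # four 16-byte partition entries follow the code
BOOT_SIG = b"\x55\xaa"     # a valid MBR ends with this signature

def parse_partitions(mbr: bytes) -> list:
    """Return (bootable, type, lba_start, sector_count) for each used entry."""
    if len(mbr) != MBR_SIZE or mbr[510:] != BOOT_SIG:
        raise ValueError("not a valid 512-byte MBR")
    entries = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, off)
        if ptype:  # partition type 0 marks an unused slot
            entries.append((status == 0x80, ptype, lba, count))
    return entries

def bootstrap_digest(mbr: bytes) -> str:
    """Hash only the boot code; the disk signature and table live after it."""
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()

def check_mbr(baseline: bytes, current: bytes) -> list:
    """Diff a trusted baseline MBR against one captured now.
    Modified boot code is the indicator of a bootkit; a changed partition
    table is reported on its own so an admin can judge whether it was expected."""
    findings = []
    if bootstrap_digest(baseline) != bootstrap_digest(current):
        findings.append("bootstrap code modified")
    if parse_partitions(baseline) != parse_partitions(current):
        findings.append("partition table changed")
    return findings

def make_sample_mbr(code: bytes) -> bytes:
    """Constructed test sector: given boot code, one active NTFS partition, signature."""
    sector = bytearray(MBR_SIZE)
    sector[:len(code)] = code
    struct.pack_into("<B3sB3sII", sector, PT_OFFSET,
                     0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    sector[510:] = BOOT_SIG
    return bytes(sector)

# Constructed baseline: a few bytes of ordinary real-mode setup code (cli; xor ax,ax; mov ss,ax; mov sp,0x7c00)
CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
# Constructed "infected" copy: entry point replaced by a short jump, as a patched loader would show
HOOKED_MBR = b"\xeb\x3e" + CLEAN_MBR[2:]

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, HOOKED_MBR))   # ['bootstrap code modified']
```

Keep the baseline copy off the machine being checked; a rootkit that can hide its MBR from the OS can equally hide or rewrite a baseline file stored on the same disk.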



  3. #3
    ~BD~ Guest

    Re: Ping FTR: Mebromi BIOS Virus Out in the Wild

    FromTheRafters wrote:
    > "~BD~"<~BD~@nomail.afraid.org> wrote in message
    > news:j6u832$in8$1@dont-email.me...
    >> FromTheRafters wrote:
    >>> "~BD~"<~BD~@nomail.afraid.org> wrote in message
    >>> news:j6sfd0$26j$1@dont-email.me...
    >>>> You've advised that this is impossible!
    >>>
    >>> No I haven't. I believe I told you that there was not yet enough room in the
    >>> BIOS for a virus *infection* in the BIOS. I also am the one that pointed you to
    >>> several papers on PCI rootkits and such.

    >>
    >>
    >> Forgive me if I misunderstood. I have always valued your help and advice.
    >>
    >>
    >>> LoJack for Laptops comes closer to being a virus than does Mebromi.
    >>>
    >>> I think that soon there will be a virus that infects the BIOS and have always
    >>> thought so, but it may not behave like your typical malware virus.

    >>
    >>
    >> Such a virus could render a computer more or less useless?

    >
    > It could be benign as well.
    >
    >> Would a cost-effective repair be possible do you think?

    >
    > Of course, what can be done in software can be undone in software. This
    > is less about the virus aspect and more about persistence and stealth.
    >
    > Once you know it is there, removing it is a breeze.



    Ah! Right on the nail! :-)


    > [...]
    >
    >>> AFAIK, it is a trojan that installs an MBR rootkit and uses the BIOS as
    >>> a guardian for that MBR rootkit (persistence). In addition, a kernel mode
    >>> rootkit that hides an additional downloader's actions. It infects two specific
    >>> system PE files as a startup method for said stealth downloader.

    >>
    >> I know you like to be 'correct' in the use of terms, FTR (and rightly so) -
    >> but the *effect* is what *really* matters IMO!

    >
    > And that *effect* depends entirely on what it *is* rather than what
    > people think it is.
    >
    > [...]


    OK - I'll not argue that point.

    >>> Do you have any specific on topic questions for the spyware group?

    >>
    >> Yes. How would anyone know that they had been infected in this manner if their
    >> anti-malware programmes didn't flag same?

    >
    > They wouldn't.


    *Exactly*!

    > But these things don't exist in a vacuum. The chances are great that such
    > an infection would be used to persistently hide the activities of some
    > associated malware. That associated malware may well be detected
    > from outside the stealthed environment. Usually, there will be network
    > activity associated with the malware for instance.


    Still not easy to detect, especially if one isn't looking for same!

    Thanks for your answers, FTR. :-)
